Save the Dates: Personal Data Protection Amendments Now in Operation
Introduction
On 19 December 2024, the Minister of Digital, by notification in the Gazette, appointed the provisions of the Personal Data Protection (Amendment) Act 2024 (the “Amendment Act”) to come into operation in three stages: the first commencing on 1 January 2025, the second on 1 April 2025, and the third, containing the most notable amendments, on 1 June 2025.
This staggered approach appears to provide an opportunity for businesses to prioritise preparations for each stage. As the most impactful amendments are set to take effect from 1 June 2025, businesses have approximately 5 months to ensure full compliance.
This follows the gazettement of the Amendment Act on 17 October 2024, which introduced notable amendments to the Personal Data Protection Act 2010 (“PDPA”). We have discussed the amendments introduced by the Amendment Act in further detail elsewhere.[1]
Overview of the Key Amendments and Key Timelines
We set out below a summary of the three most significant amendments and the dates on which they come into operation; the remaining key amendments and stages are discussed further below:
No. | Key Change | Key Timeline
1. | Obligation of data processor to comply with security principle | Stage 2: 1 April 2025
2. | Appointment of data protection officer (DPO) | Stage 3: 1 June 2025
3. | Data breach notification | Stage 3: 1 June 2025
Stages, Key Changes and Impact
Stage 1: 1 January 2025
The amendments under this stage are of low impact to businesses and only require administrative changes, if any.
Section 13 amending Section 136 of the PDPA
The Amendment Act expands and modernises the mode of service of a notice or such other document under the PDPA to include service done electronically. Businesses relying on electronic service must implement systems to document delivery receipts and timestamps to record proof of delivery.
Section 14 Saving Provision
The saving provisions under the Amendment Act take effect and provide, among other things, that any order, direction, circular, notice or code of practice made or issued by the Commissioner before the commencement of the Amendment Act shall be deemed to have been issued under the PDPA as amended by the Amendment Act and remains valid.
Stage 2: 1 April 2025 onwards
The amendments coming into force under this stage are of moderate impact to businesses, as they broaden the applicability of the PDPA. Businesses will need to adopt “data controller” terminology in company policies, contracts and communication documents, and businesses acting as data processors, which must now comply with the security principle, will have to change how they handle personal data, including strengthening security measures and infrastructure. Businesses processing biometric data will also have to review and enhance their consent-seeking processes.
Section 2 (General amendment)
The term “data controller” replaces “data user”, in line with other jurisdictions. Businesses are advised to update company policies and ensure new contracts reflect the accurate terminology.
Section 3 amending Section 4 of the PDPA
This amendment enhances the defined terms of the PDPA including:
Expansion of “sensitive personal data” to include biometric data;
“Personal data breach” is now defined to mean any breach of personal data, loss of personal data, misuse of personal data or unauthorised access of personal data;
A deceased individual is expressly excluded as a data subject, effectively excluding the protection of PDPA for personal data of a deceased individual.
Businesses processing biometric data will need to review their consent-seeking mechanisms to ensure express consent is obtained from data subjects. Businesses will also need to balance no longer having to comply with PDPA requirements when processing a deceased individual’s personal data against sensitivity and ethical concerns.
Sections 4 and 5 amending Sections 5 and 9 of the PDPA
Data processors are now directly obligated to comply with the Security Principle and the obligations therein, similar to that which previously bound only the data users (data controllers). Businesses acting as data processors will have to enhance security measures and internal data processing processes.
Sections 10 and 12 amending Sections 48 and 129 of the PDPA
Section 10 read together with Section 12 of the Amendment Act removes the whitelist for transfers of personal data outside Malaysia. From 1 April 2025, data controllers can transfer personal data outside of Malaysia to jurisdictions with substantially similar data protection laws in place.
Stage 3: 1 June 2025 onwards
The amendments under this stage are of high impact to businesses, requiring active measures to be put in place. Relevant businesses must appoint a mandatory data protection officer (DPO), which may require additional training to be provided for the chosen DPO. Internal data breach notification mechanisms must also be introduced to ensure the business is ready to act in compliance with the law in the event of a data breach.
Section 6 introducing Division 1A (Section 12A and Section 12B) to the PDPA
Section 12A Appointment of Data Protection Officer (“DPO”)
Relevant data controllers and data processors are now required to appoint a DPO responsible for ensuring compliance with data protection regulations. The Public Consultation Paper 02/2024 published by the Commissioner indicates that the intention is for certain types of data users/data controllers only to appoint a DPO, based on the nature and volume of personal data processed, to prevent this requirement from being overly burdensome. Further information to follow pending introduction of subsidiary legislation clarifying the DPO requirement.
Section 12B Data Breach Notification
Data controllers must notify the Commissioner as soon as practicable if there is reason to believe that a data breach has occurred. Notification must also be made to the data subject as soon as possible if the breach is believed to cause significant harm to the data subject. The Public Consultation Paper 01/2024 published by the Commissioner indicates that the intention is for there to be notification thresholds for a data breach, subject to scale or harm caused by the breach. Further information to follow pending introduction of subsidiary legislation clarifying the data breach notification requirement.
Section 9 introducing Section 43A of the PDPA
Data subjects now have the right to data portability, allowing them to request transmission of their personal data to another data controller of their choice. Data controllers must put in place internal mechanisms to allow for this request and the transfer of personal data, subject to the technical feasibility and compatibility of the data format.
Conclusion
With the appointed dates in mind, entities acting as data controllers or data processors, or engaging one, must ensure that operational preparations and arrangements are in place or being made, in order to meet the requirements and ensure timely compliance with the new legal framework.